[Freeipa-devel] Re: [PATCHES] Migration wrap-up.

Rob Crittenden rcritten at redhat.com
Fri Dec 4 17:06:06 UTC 2009


Pavel Zůna wrote:
> Okay, I think my migration patches are ready for submission.
> 
> What's new?
> 
> - No more forced password change after migration, unless the password 
> doesn't meet IPA password policy. Expiration time sets correctly (hooray!).
> - Migration mode (adding entries with pre-hashed passwords) can now be 
> turned ON/OFF using the ipaMigrationEnabled attribute in ipaConfig entry.
> - New fancy password migration page using HTML form based 
> authentication. (CSS and looks in general will probably have to change 
> to visually go with the rest of the webUI.)
> - Better error/log messages and some general code clean up.
> 
> I didn't change the migration plugin to use IPA commands. Believe me, I 
> tried. There's just too much overhead and additional work:
> 
> - We need to sanitize data from DS before we feed it to the IPA commands 
> and it's not just converting them to unicode.
> - There are attributes our commands do not accept as parameters and 
> setattr/addattr doesn't really help that much there. It's going to be 
> even worse when custom schemas kick in. Our commands also make some 
> assumptions about attributes - like givenName/sn being required etc. 
> It's just too hard to do it properly in a generic way.
> - Using IPA commands generates at least 4 times more LDAP requests.
> - The code is also longer.
> 
> The migration plugin might still need some work and I'm thinking of ways 
> to make it better, more readable and maintainable, but if the other 
> patches pass and there are no big problems with it, I say we should push 
> it, so that QE can do some testing.
> 
> I'm currently writing a wiki page with step by step migration guide, but 
> I left it open at the office and I'm sick at home at the moment, so I'm 
> going to resume when back. I will also setup a testing environment on 
> the blades for DS to IPA migration.
> 
> Pavel

A few comments:

- The comment block in ipapwd_pre_bind() is incorrect. It says that it 
will generate a principal name.
- You check for the existence of userPassword in the entry. Since you've 
already made sure a simple bind was successful, I don't think this is 
necessary; it is implicit, right? I suppose it doesn't hurt anything.
- Under what conditions would the bind password not be found in the 
userPassword attribute?
- Why the formatting change to ipaEscrowKeyCertificate and ipaEscrowKey?
- There are a number of typos on the migration HTML pages:
    - There was a problem with you request.
    - If the problem persists, contact you administrator.
    - migrated to a new Indentity management solution
    - Upon successfull login
- There are a number of ways to get redirected to 
/ipa/migration/error.html and invalid.html. Should some logging be added 
so an admin can debug why failures occur?
- Can you add a validator for the LDAP uri and perhaps an example somewhere?
- When migrating users/groups do we want an option to maintain existing 
uid/gid?
- Is there a reason you're using pure ldap calls instead of the ldap2 
plugin?

rob
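Rob asks for a validator for the LDAP URI plus an example of an acceptable value. The following is an added illustration for this page, not code from this thread or from FreeIPA: it accepts only the `ldap://host[:port]` and `ldaps://host[:port]` shape, rejecting embedded credentials, a base DN in the path, and malformed hosts or ports. The function names and the decision to reject anything beyond scheme and host:port are this example's own choices.

```python
"""Validate an LDAP server URI (ldap://host[:port] or ldaps://host[:port]).

Hypothetical example added for this page; not FreeIPA's own validator.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Default ports per scheme, used when the URI omits an explicit port.
DEFAULT_PORTS = {"ldap": 389, "ldaps": 636}

# One DNS label: letters, digits and hyphens, no leading/trailing hyphen,
# at most 63 characters (RFC 1035 limits).
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


class LDAPURIError(ValueError):
    """Raised when the URI is not an acceptable LDAP server address."""


def _valid_host(host):
    """Accept an IPv4/IPv6 literal or a DNS name made of valid labels."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        pass
    if len(host) > 253:
        return False
    labels = host.rstrip(".").split(".")
    return all(_LABEL.match(label) for label in labels)


def validate_ldap_uri(uri):
    """Return (scheme, host, port) for a well-formed URI, else raise LDAPURIError.

    Only scheme and host[:port] are accepted: no path/base DN, query,
    fragment or embedded credentials, so a caller cannot smuggle a bind
    password or an unexpected search base into the migration settings.
    """
    if not isinstance(uri, str) or not uri.strip():
        raise LDAPURIError("empty LDAP URI")
    parts = urlsplit(uri.strip())
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS:
        raise LDAPURIError("scheme must be ldap or ldaps: %r" % uri)
    if parts.path not in ("", "/") or parts.query or parts.fragment:
        raise LDAPURIError("only scheme://host[:port] is accepted: %r" % uri)
    if parts.username is not None or parts.password is not None:
        raise LDAPURIError("credentials are not allowed in the URI: %r" % uri)
    host = parts.hostname  # lowercased by urlsplit, brackets stripped for IPv6
    if not host:
        raise LDAPURIError("missing host: %r" % uri)
    try:
        port = parts.port  # ValueError if the port is not an integer
    except ValueError:
        raise LDAPURIError("invalid port: %r" % uri)
    if port is None:
        port = DEFAULT_PORTS[scheme]
    elif not 1 <= port <= 65535:
        raise LDAPURIError("port out of range: %r" % uri)
    if not _valid_host(host):
        raise LDAPURIError("invalid host %r in %r" % (host, uri))
    return scheme, host, port


def is_valid_ldap_uri(uri):
    """Boolean convenience wrapper around validate_ldap_uri()."""
    try:
        validate_ldap_uri(uri)
        return True
    except LDAPURIError:
        return False


if __name__ == "__main__":
    # Constructed sample inputs; the first two are accepted, the rest rejected.
    for candidate in ("ldap://ds.example.com", "ldaps://[2001:db8::1]:636",
                      "ds.example.com", "ldap://ds.example.com:abc",
                      "ldap://admin:secret@ds.example.com"):
        print("%-40s %s" % (candidate, is_valid_ldap_uri(candidate)))
```

Returning the parsed triple rather than just a boolean lets the caller log exactly which host and port the migration will contact, which also helps with the debugging Rob asks about for the error and invalid redirects.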
